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Description 

Data transmission method 

.Within the framework of optimizing current communication 
networks, particularly broadband subscriber access networks - 
5 also called access networks - access to broadband services 
such as, for example, the "broadband Internet connection" or 
"Video on Demand" is to be made available to a large number of 
subscribers in a cost-effective manner. 

In the subscriber access area of current communication 

10 networks, communication devices such as, for example, Network 
Termination (NT) devices are allocated to the subscribers or 
the subscriber via single wire or multiwire subscriber 
connecting lines connected to central switching devices or 
Digital Subscriber Line Access Multiplexers, DSLAM. An xDSL 

15 transmission method (for example, ADSL) is often used as the 
physical transmission method on the subscriber connecting line 
in which the data to be exchanged between the subscribers and 
the central switching device is transmitted, for example, 
within the framework of a packet-oriented or. a cell-oriented 

20 transmission method (the Ethernet and/or the Asynchronous 

Transfer Mode, ATM) . A communication link - also called a link 
- is established between, for example, a network termination 
device and the central switching device within the framework 
of the xDSL transmission method or protocol. For example, in 

25 the case of the ADSL protocol , the ADSL channels and therefore 
the transmission rate are set up accordingly. 

A Local Area Network (LAN) is often located on the subscriber 
side, via which one or more communication terminals (such as, 
for example, a personal computer, a workstation, a server, 
30 multimedia terminals, etc.) allocated to a subscriber in each 
case, are connected to the network termination device 
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allocated to the specific subscribers and, as a result, are 
connected via the subscriber connecting line to the switching 
device or to the DSLAM. The local communication networks or 
LANs located in the subscriber area are embodied for example, 
5 in accordance with the Ethernet transmission method or 

protocol - in accordance with the IEEE 802.3 standard or in 
accordance with II or the Ethernet V2 - designed as a frame- 
oriented or a packet-oriented, connectionless communication 
network. The Ethernet data frames or the Ethernet frames 

10 formed in the subscriber area are inserted into ATM cells and 
transmitted to the switching device or to the DSLAM via the 
subscriber connecting line. The Ethernet data frames 
transmitted by means of the ATM transmission technology to the 
switching device or to the DSLAM are subsequently forwarded 

15 via at least one additional higher-ranking communication 

network connected to it, which can be designed in accordance 
with any packet-oriented or cell-oriented transmission method 
- for example, ATM, IEEE 802.x or the Internet protocol IP. 

For the packet-oriented transmission of data (such as, for 
20 example, the Ethernet frames) via point-to-point connections - 
which can for example be designed as a modem connection, an 
ISDN connection, a frame relay connection, an X.25 connection 
or an SDH connection - the point-to-point protocol (PPP) is 
often used. The PPP consists of the following three 
25 components . 

A method for the transmission of packet-oriented data 
packed accordingly - also called PPP encapsulation. This is 
based on a bidirectional full-duplex transmission, 

Establishing, configuring and testing a transmission link 
30 by using the Link Control Protocol (LCP) , 

Establishing and clearing and configuring different layer-3 
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protocols by using the Network Control Protocol (NCP) . 

PPP can be transported via a plurality of protocols located in 
the lower layers in the OSI reference model such as, for 
example, the x.2 5 protocol, the frame relay protocol, the ISDN 
5 protocol, the ATM protocol as well as the Ethernet and the 
Internet protocol IP. 

The transmission of PPP via communication networks embodied in 
accordance with IEEE 802.3 (the Ethernet) or in accordance 
with Ethernet V2 is also called PPPoE (PPP over Ethernet) and 
10 specified in accordance with RFC 2516. 

The PPP-supported communication passes through a series of 
states: 

However, before, the start of the PPP-supported communication, 
a link between the subscriber (communication device or network 
15 termination device) and the switching device must for example 
be created by means of an xDSL protocol. 

The system is for example "woken up" from the inactive state 
(link dead) by a carrier detect signal, which is usually 
generated by a modem. During the establishment of a 
20 communication link or a virtual connection (link establishment 
phase) , the configuration of the link is set up by means of 
Link Control Protocol (LCP) messages. An authentication phase 
can follow the link establishment • phase , if required. 

By using the Network Control Protocol (NCP) and after an 
25 optional authentication has been implemented, a special 

configuration phase "is performed for each network protocol . 
This is followed by the transmission of useful data- by means 
of the network layer protocol selected in each case. 

The transmission of data can be ended at any time. This can 
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occur because of external events such as, for example, loss of 
the layer-1 connection (loss of carrier) or deliberately by 
exchanging corresponding LCP messages . 

As has already been explained, establishing a connection via a 
5 point-to-point protocol consists of two phases. 

Configuring the link layer with the Link Control Protocol 
(LCP) and 

Configuring the network layer with the Network Control 
Protocol (NCP) . 

10 Optional authentication can take place between these two 
configuration methods. The type of authentication used and 
when it is used is negotiated by using the LCP. Different 
methods for authentication are known, for example: 

Password Authentication Protocol (PAP) 
15 - Challenge Handshake Authentication Protocol (CHAP) 
PPP Extension Authentication Protocol (EAP) ' 

For the authentication/authorization, a special network 
element provided for the purpose in the communication network 
- also called a Network Access Server (NAS) or an access 

20 router - must be informed about the subscriber who would like 
to be authenticated. Instead of this data being stored locally 
in the network access server, a server is often made available 
in the communication network to which a plurality of network 
access servers is allocated in each case. Because of these 

25 allocations, it is possible for a subscriber to login into the 
different locations of the communication network. 

The authentication is undertaken in current communication 
networks by using a radius protocol (Remote Authentication 
Dial In User Service) by means of which a network access 
30 server exchanges data about the authentication, the 
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authorization and the configuration with an authentication 
server (also called a radius server) especially provided for 
that purpose. The authentication server can also deal with 
other tasks, for example, within the framework of collecting a 
5 fee (charge registration) . 

The authentication methods currently used in communication 
networks are mainly based on verifying transmitted user data 
and passwords. However, this can no longer be sufficient for 
the integrity requirements, which are becoming increasingly 
10 important with regard to the transmission of data via 
communication networks . 

The object of the invention is to improve the integrity of the 
transmission of data within communication networks. This 
object of the invention is achieved starting from a method and 
15 a communication system in accordance with the features of 
claims 1 and 13 . 

The essential aspect of the method in accordance with the 
invention for the transmission of data via at least one 
connection of the subscriber located in at least one 
20 communication network consists of the fact that the connection 
data representing the at least one subscriber's connection is 
transmitted to the communication network. The transmitted 
connection data is used to authenticate the data to be 
transmitted via the at least one connection of the subscriber. 

25 The main advantage of the method in accordance with the 

invention is the fact that preferably, additional connection 
data representing the subscriber's connection is made 
available for verification purposes in addition to the 
subscriber-related data (user name and password) that is 

30 usually available for the authentication or authorization of 
the subscriber initiating a communication link via the 
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communication network. Network elements located in current 
communication networks, in particular, the Network Access 
Server (NAS) or the access router usually have no data about 
the port or subscriber's connection or the subscriber 
5 connecting line through which the subscriber is actually 
connected to the communication network. As a result, the 
transmission of connection data represents an additional 
integrity function, thereby improving the authentication of 
subscribers and in this way improving the integrity of data 
10 transmitted via the communication network. 

Advantageously, the data is transmitted in accordance with the 
PPPoE transmission method or protocol in accordance with RFC 
2516 via the at least one subscriber's connection - claim 7. 
Within the framework of the PPPoE protocol, specification RFC 

15 2516 allows so-called "TAGS" so that advantageously the 

connection" data is inserted as the "Relay Session ID Tag" data 
into the "PPPoE Active Discovery" (PADI). messages transmitted 
to the communication network via the at least one subscriber's 
connection - claim 8. This advantageous development does not 

20 represent a further development, but an advantageous 

application of the PPPoE transmission protocol, in which 
already existiifg transmission resources or data fields are 
used in the PADI messages for the transmission of the 
connection data - the PPPoE protocol does not have to be 

25 modified or supplemented. 

Further advantageous developments of the method in accordance 
with the invention as well as a communication system in order 
to improve the integrity of the transmission of data can 'be 
found in the additional claims. 

30 The method in accordance with the invention is explained In 
detail on the basis of the following drawings. They are as 
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follows 

FIG 1 a communication system in which the method in 

accordance with the invention is employed and 

FIG 2 inserting the connection data into the PPPoE 

5 transmission protocol according to the invention 

FIG 1 shows in a block diagram, a switching device VE located 
in a higher-ranking communication network OKN, and said 
switching device VE can be designed as a digital access 
multiplexer device - also called a DSLAM, Digital Subscriber 

10 Line Access Multiplexer. The switching device VE has a 

plurality of subscribers' connections TA - in FIG 1 only one 
subscriber's connection is shown representing a number of 
connections - to which a network termination device NT 
(Network Termination) is connected via a subscriber connecting 

15 line TAL and on the subscriber side. The subscriber's 

connection TA shown in the block diagram forms part of a line 
unit, which has a plurality of these connections - not shown. 
A local communication network LAN designed in accordance with 
the Ethernet transmission method (IEEE Standard IEEE 802.3 or 

20 the Ethernet V2) and allocated to a subscriber is connected to 
the network termination device NT. Via the local communication 
network LAN, a plurality of communication terminals such as 
for example a personal computer and multimedia communication 
terminals are connected via the subscriber connecting line and 

25 via the switching device VE to the higher-ranking 

communication network OKN. A modem is in each case located in 
both the network termination device NT and in the subscriber 
line unit TAE - not shown - through which, in this embodiment, 
an xDSL transmission method such as for example ADSL is used 

30 as the physical transmission method via the subscriber 
connecting line TAL. 
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The switching device VE is connected, via an uplink interface 
US and an uplink connection LNK, to a network access device 
ASR - also called an access router in the following - located 
in the higher -ranking communication network OKN. An 
5 authentication server RADS located in the higher-ranking 
communication network OKN is also allocated to the Access 
Router ASR and in which different functions for the 
authentication and authorization of subscribers initiating 
communication links are likewise performed in said 

10 authentication server RADS. The authentication or 

authorization takes place, for example, in accordance with the 
radius protocol. Access of subscribers is controlled for 
example via the Access Router ASR located locally in an 
Internet Service Provider (ISP) in the Internet IP forming a 

15 component of the higher -ranking communication network OKN. 

The method in accordance with the invention is explained in 
greater detail below. For the subsequent embodiments, 
reference is at the same time made to FIG 2, in which the 
exchange of messages is shown within the framework of the 
20 PPPoE protocol when a communication link or connection is 

established between the participating communication devices. 

It is assumed that a data connection is to be established into 
the Internet IP via the communication terminal KE - for 
example, a personal computer located in an Internet Cafe - 

25 connected to the LAN on the subscriber side. For this purpose, 
the communication terminal KE initiates the establishment of a 
PPPoE connection to the Access Router ASR located in the 
higher- ranking communication network OKN. In this case, the 
communication terminal KE is a PPPoE client and the Access 

30 Router ASR a PPPoE server. "The PPPoE client can also be* 
located in the network termination device NT. Via the 
insertion means EM located in the switching device VE, the 
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PADI packets transmitted by the communication terminal KE are 
identified within the framework of the PPPoE protocol in the 
direction of the Access Router ASR and expanded by default by 
means of the "Relay Session ID TAG" - see point 1 in FIG 2 . 
5 According to the invention, said inserted relay session ID TAG 
represents a connection data port-id - here the port-ID - 
representing the subscriber's connection TA or the subscriber 
connecting line TAL. Via the PORT-ID, the subscriber's 
connection TA or the subscriber connecting line TAL connected 

10 to it is identified unambiguously within the switching device 
or in the corresponding line unit and addressed as a result. 
The PADI packets expanded by the insertion means EM are 
transmitted from the switching device VE via the uplink 
connection LNK to the PPPoE server located in the Access 

15 Router ASR, via which server the PPPoE protocol is terminated 
- indicated in FIG 1 by means of the broken line with the 
arrowhead. Via the PPPoE server, the specific TAG value of the 
relay session ID representing the PORT-ID or the connection 
data contained in the PADI messages is extracted. The 

20 extracted connection data port-id can optionally be stored in 
the Access Router ASR together with the customary subscriber- 
associated authentication data (such as for example the user 
name or user identification and the password) - see point 2 in 
FIG 2 . The connection data port-id extracted in this way is 

25 forwarded from the access router, in the course of the 

authentication to be implemented, to the Radius Server RADS - 
see point 3 in FIG 2 . 

The connection data port-id, together with the additional 
subscriber-associated authentication data, is transmitted to 
30 the Radius Server RADS, for example, within the framework of 
authentication requests and accounting requests, typically 
with the radius attribute 31 "Calling Station ID" specified in 
the standard RFC 2 516. 
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Via the Radius Server RADS, the transmitted connection data 
port- ID can for example within the framework of the 
authentication be compared with the username and password 
transmitted in parallel, thereby increasingly improving . the 
5 integrity of the transmission of data. 

After a successful authentication of the subscriber, the 
Access Router ASR establishes a useful data connection between 
the subscriber and the communication network - here, the 
Internet IP - via which the data is transmitted or exchanged. 

10 The connection data port-id can be transmitted to the 

communication network both during the establishment of a 
communication link such as for example a PPP connection and 

o 

during the entire existence of the communication link. 

The connection data port-id can also be transmitted within the 
15 framework of another transmission protocol ? such as for 
example : 

- PPTP Point-to-Point Tunneling Protocol 

- L2PT Layer-2 Tunneling Protocol 



